Rootkit dangers at an 'all-time high'

Industry experts at RSA Conference 2007 say not only have rootkits become the weapon of choice for malicious hackers, but they've also emerged as useful tools for legitimate businesses trying to exert control over users.

The rootkit problem is not going away any time soon. In fact, it's likely to get much worse before it gets better, according to the members of a panel on the topic at RSA Conference 2007 Tuesday.

"Rootkit capability is at an apex, an all-time high for the attackers," said Jamie Butler, director of engineering at software security firm HBGary Inc. in Chevy Chase, Md. "Once you're at ring zero, which is where all rootkits need to be in order to work well, it's impossible to block their actions. They can write executable code, hijack legitimate threads, all kinds of things."

Rootkits are not a new class of technology; they have been around for decades in one form or another. But in the last couple of years their popularity and sophistication have grown by leaps and bounds as organized crime groups have adopted them as their weapon of choice for infiltrating PCs. The tools are typically designed to be installed stealthily, hide their presence on the system and allow the attacker to access the machine at any time.

As their use has grown in recent years, rootkits have steadily moved deeper into the PC, from the operating system kernel down toward the hardware. This, the panelists said, is a good indication of just how serious the problem now is.

"Each generation of rootkit moves lower into the system. They're implementing them in hardware now, with virtual rootkits," said Bill Arbaugh, an assistant professor of computer science at the University of Maryland and president and CTO of College Park, Md.-based rootkit detection firm Komoku Inc.

"It's a business and they're doing a pretty decent job of it," he added. "These gangs have a QA process. They do not want their software to be detected. Malware writers are using the exact techniques that security guys have been using for years."

And the advances being made by malicious hackers are constantly pushing the envelope. A new rootkit, called Unreal, that hit the Web late last month has the ability to hide both files and drivers. It's designed specifically to bypass rootkit-detection software, Arbaugh said, and does the job quite well.

All of this has attracted the attention of a number of legitimate software companies and other corporations that are interested in preventing users from modifying or misusing their products. Some legitimate software makers have taken rootkit technology and adapted it to prevent users from reverse-engineering their applications or modifying them in unauthorized ways. In 2005, Sony BMG Music Entertainment Inc. set off a firestorm of controversy and customer anger after a researcher discovered the company had included a rootkit on some of its audio CDs. The technology was meant to prevent illegal copying, and the company initially defended it, but quickly backtracked and eventually settled with both the Federal Trade Commission and consumers who had sued.

"It's legitimate to self-detect whether your software is being modified," said Greg Hoglund, who runs the Rootkit.com Web site and is a well-known software security expert. "But a lot of this other stuff is clearly not legitimate."
